451a70bf85ab73590ecf8d48396873a0b5f7be26c51d33d8bd064c02743ed634

Analysis

max time kernel
59s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe
Size

152KB
MD5

5b04126ab6e06a1ee54a634f798ab198
SHA1

44e71878b0bab2f5a51a7819655e31ad31894bfc
SHA256

451a70bf85ab73590ecf8d48396873a0b5f7be26c51d33d8bd064c02743ed634
SHA512

55313ae784f2060b802ff094b11baa0f913784973138666da4c0b19c6ab99ad6a2223437c9ed2df007f31679574148170b012ed3d89c6e98211f3518710c1d68
SSDEEP

1536:/pmg5Tf9u8CjJ6RaMbm4QbjcBMQw0KvrdMFsaMd2L5nvA/RyVUKNG25Tf9uMr:cgZfYbJ6AMVQcM1KPMd2L9AYWmVZfYM

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2560	Spynet-Server (2).exe
1204	Spynet-Server (2).exe
2612	server.exe
2544	server.exe

Loads dropped DLL 7 IoCs

pid	Process
2976	5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe
2976	5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe
2976	5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe
2976	5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe
2560	Spynet-Server (2).exe
1204	Spynet-Server (2).exe
1204	Spynet-Server (2).exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016d9e-10.dat	upx
behavioral1/memory/2560-28-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1204-50-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2560-290-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1204-316-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2612-318-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2544-338-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2612-578-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Spy-Net\server.exe	Spynet-Server (2).exe
File opened for modification	C:\Program Files (x86)\Spy-Net\server.exe	Spynet-Server (2).exe
File created	C:\Program Files (x86)\Spy-Net\logs.dat	server.exe
File opened for modification	C:\Program Files (x86)\Spy-Net\logs.dat	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2560	Spynet-Server (2).exe
2560	Spynet-Server (2).exe
2612	server.exe
2612	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2544	server.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	Spynet-Server (2).exe
Token: SeDebugPrivilege	2560	Spynet-Server (2).exe
Token: SeDebugPrivilege	2560	Spynet-Server (2).exe
Token: SeDebugPrivilege	2560	Spynet-Server (2).exe
Token: SeDebugPrivilege	2612	server.exe
Token: SeDebugPrivilege	2612	server.exe
Token: SeDebugPrivilege	2612	server.exe
Token: SeDebugPrivilege	2612	server.exe
Token: SeDebugPrivilege	2544	server.exe
Token: SeDebugPrivilege	2544	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2976	5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2560	2976	5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2560	2976	5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2560	2976	5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2560	2976	5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe	30
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31
PID 2560 wrote to memory of 1204	2560	Spynet-Server (2).exe	31

C:\Users\Admin\AppData\Local\Temp\5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b04126ab6e06a1ee54a634f798ab198_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\Spynet-Server (2).exe
  "C:\Users\Admin\AppData\Local\Temp\Spynet-Server (2).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\Spynet-Server (2).exe
    "C:\Users\Admin\AppData\Local\Temp\Spynet-Server (2).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:1204
  - - C:\Program Files (x86)\Spy-Net\server.exe
      "C:\Program Files (x86)\Spy-Net\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2612
    - - C:\Program Files (x86)\Spy-Net\server.exe
        
        "C:\Program Files (x86)\Spy-Net\server.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Spynet-Server (2).exe

Filesize
84KB

MD5
3f7aff4e8ea2600baef7872647b0dd49

SHA1
39ab03c76760fc618fb617f5a36c8f3ec5344616

SHA256
b2486cb071c2da6bacca669144ca806603d799a28244c7507f6375816d79d888

SHA512
8e0f7a714f1d8f6cf612c3068a9e91d4b26717e873445e374f6faa42d4d4360c712efc0cb475a9035e00cfad13aaf1c6682c9cd638a6e4341a7e05b16d9a159f

Download Submit
memory/1204-314-0x00000000049B0000-0x00000000049D5000-memory.dmp

Filesize
148KB

Download
memory/1204-38-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1204-48-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1204-316-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1204-50-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1204-300-0x00000000049B0000-0x00000000049D5000-memory.dmp

Filesize
148KB

Download
memory/1204-32-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2544-338-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2560-49-0x0000000000260000-0x0000000000285000-memory.dmp

Filesize
148KB

Download
memory/2560-28-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2560-290-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2612-578-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2612-318-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2976-25-0x00000000065C0000-0x00000000065E5000-memory.dmp

Filesize
148KB

Download
memory/2976-585-0x00000000065C0000-0x00000000065E5000-memory.dmp

Filesize
148KB

Download
memory/2976-8-0x0000000004D70000-0x0000000004D92000-memory.dmp

Filesize
136KB

Download
memory/2976-24-0x00000000065C0000-0x00000000065E5000-memory.dmp

Filesize
148KB

Download
memory/2976-5-0x0000000006530000-0x00000000065B9000-memory.dmp

Filesize
548KB

Download
memory/2976-7-0x0000000006600000-0x000000000663D000-memory.dmp

Filesize
244KB

Download
memory/2976-26-0x0000000004550000-0x0000000004552000-memory.dmp

Filesize
8KB

Download
memory/2976-23-0x00000000065C0000-0x00000000065E5000-memory.dmp

Filesize
148KB

Download
memory/2976-586-0x00000000065C0000-0x00000000065E5000-memory.dmp

Filesize
148KB

Download
memory/2976-6-0x00000000065C0000-0x00000000065FF000-memory.dmp

Filesize
252KB

Download